PLUS Communications
109180, , ,
1- ., 11-
.: +7 (095) 238-3711
: +7 (095) 238-3777
http://www.pluscom.ru

Cisco Systems Russia


113054, , ,
., 52
.: +7(095)961-1410
: +7(095)961-1469
http://www.cisco.com

Cisco IOS

Network Address Translation

, 1999

Cisco IOS. NAT


Copyright 1998 Cisco Systems, Inc., 1999 PLUS Communications

, ,
IP .
NAT (Network Address Translation), , Cisco IOS . , , . ,
, NAT , (Private Subnets),
, IP.
NAT ,
, CIDR (Classless Interdomain Routing). NAT RFC 1631.

NAT -
NAT :
- , IP. NAT IP, ,
. NAT , () (, ). ,
. NAT IP.
- . , ,
, NAT
.
- TCP.
NAT (mapping) , TCP.
(connectivity problems), NAT
. , ,
, . . , - - , .

NAT
NAT ,
, , . , NAT ,
.
IP, NAT.
NAT, , NAT. , NAT ,
, .
, NAT, , , . NAT , . , NAT Source
( ) .
,
. , NAT .
,
. ICMP, (Host Unreachable).
, NAT, . , , NAT , .

NAT
, ,
, .
, ,
NAT. , .
,
. . , . , .
, NAT:
- (Inside local address). IP, . , NIC (Network Information Center) .
- (Inside global address). NIC .
.
- (Outside local address). IP,
, .
. ,
.
- (Outside global address). IP, . .

, NAT
, NAT,
.
, NAT .

Source
NAT IP , ,
. :
- ,
.. . ,
(, WWW).
- .
. 1 , , Source
IP .

. 1. Source

Source,
. 1:
1. 1.1.1.1 .
2. , 1.1.1.1 , NAT.
- , 3.
- , ,
- (SA, Source Address) 1.1.1.1 .
. (Simple Entry).
3. 1.1.1.1 (2.2.2.2), .
4. 1.1.1.1
(DA, Destination Address) 2.2.2.2.
5. ,
NAT, .
1.1.1.1, 1.1.1.1.
6. 1.1.1.1 . , 2 5, .





,

,

ip nat inside source static < > < >


interface <> <>
ip nat inside
interface <> <>
ip nat outside

.

.

ip nat pool <> < > < > [netmask < > prefix-length < >]
access-list <> permit < >

, ,
ip nat inside source list <, - > pool <>

interface <> <>

ip nat inside
,
interface <> <>

ip nat outside
,
. , ( ,
deny all). ,
.
-,
1 ( 192.168.1.0/24), , net-208. 171.69.233.208 171.69.233.233.
ip nat pool net-208 171.69.233.208 171.69.233.233 netmask 255.255.255.240
ip nat inside source list 1 pool net-208
!
interface serial 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 0
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255



. , (, TCP UDP)
. TCP UDP .
. 2 NAT,
. TCP .

. 2.

, . 2. 2.2.2.2. .
TCP. ,
IP, TCP.
1. 1.1.1.1 .
2. , 1.1.1.1 , NAT.
, ,
1.1.1.1 , 1.1.1.1 .
, , . (Extended Entry).
3. 1.1.1.1
.
4. 1.1.1.1,
2.2.2.2.
5. 2.2.2.2 NAT, ,
, .
1.1.1.1, 1.1.1.1.
6. 1.1.1.1 . , 2 5 .
:

ip nat pool <> < > < > [netmask < > prefix-length < >]
access-list <> permit < >
ip nat inside source list < > pool <> overload
interface <> <>
ip nat inside



, ,

,

,

interface <> <>


ip nat outside

. , ( ,
deny all). ,
.
, net-208. 171.69.233.208 171.69.233.233. 1 , 192.168.1.0 192.168.1.255.
, , 1,
. (
192.168.1.0 192.168.1.255) .
.
ip nat pool net-208 171.69.233.208 171.69.233.233 netmask 255.255.255.240
ip nat inside source list 1 pool net-208 overload
!
interface serial0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet0
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255


NAT , IP,

. , , ,
. , , (Overlapping). NAT
, .
NAT , ,
.
. 3 NAT .

. 3.

, :
1. 1.1.1.1 ,
DNS.
2. DNS ,
( ,
).
, 1.1.1.3 .
DNS, .
, .
3. 1.1.1.1 3.3.3.3.
4. , .
5. .
6. .
7.
.
8. 1.1.1.1 , .


-, :




,

,

ip nat outside source static < > < >
interface <> <>
ip nat inside
interface <> <>
ip nat outside


-, :

ip nat pool <> < > < > [netmask < > prefix-length < >]
access-list <> permit < >
ip nat outside source list < > pool <>


-,
,

,

,

interface <> <>


ip nat inside
interface <> <>
ip nat outside

. , ( ,
deny all). ,
.
- . . net-10 IP. ip nat outside
source list 1 pool net-10
.
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface serial 0
ip address 171.69.232.192 255.255.255.240
ip nat outside
!
interface ethernet0
ip address 192.168.1.94 255.255.255.0
ip nat inside
access-list 1 permit 192.168.1.0 0.0.0.255

TCP
NAT . ,
, , . NAT , . , , . round-robin, . - .
. 4.

. 4.

:
1. (9.6.7.3) 1.1.1.127.
2.
, (1.1.1.1) IP.
3. .
4. 1.1.1.1 .
5. NAT,
.
.
1.1.1.2
.
NAT
. NAT
.
. .

ip nat pool <> < > < > [netmask < > prefix-length < >]
access-list <> permit < >
ip nat inside destination list < > pool <>

,



,

,

,

interface <> <>


ip nat inside
interface <> <>
ip nat outside

. , ( ,
deny all). ,
.
,
. . .
, Serial 0 ( ), , .
ip nat pool real-hosts 192.168.15.2 192.168.15.15 prefix-length 28 type rotary
ip nat inside destination list 2 pool real-hosts
!
interface serial 0
ip address 192.168.15.129 255.255.255.240
ip nat outside
!
interface ethernet 0
ip address 192.168.15.17 255.255.255.240
ip nat inside
!
access-list 2 permit 192.168.15.1

-
. -,
.
(overloading),
24 . - :

ip nat translation timeout < - >


. overloading
.
overloading, -
, ,
. - :

- UDP ( 5 )
- ( 1 )
- TCP ( 24 )
- Finish Reset
( 1 )

ip nat translation udp-timeout < >
ip nat translation dns-timeout < >
ip nat translation tcp-timeout < >
ip nat translation finrst-timeout < >

NAT
. , NAT
:

NAT

,
,


,

clear ip nat translation *


clear ip nat translation inside < > < > [outside < > < >]
clear ip nat translation outside < > < >
clear ip nat translation <> inside < > < > < > < > [outside < > < > < > < >]

NAT :

show ip nat translations [verbose]


show ip nat statistics
